
The maintainers of the open source data visualization software Apache Superset have released fixes for an insecure default configuration that could lead to remote code execution.
The vulnerability, tracked as CVE-2023-27524 (CVSS score: 8.9), affects versions up to and including 2.0.1 and is related to the use of a default SECRET_KEY that attackers could misuse to authenticate and access unauthorized resources on internet-exposed installations.
Naveen Sunkavally, the chief architect at Horizon3.ai, described the issue as “a dangerous default configuration in Apache Superset that allows a non-auth attacker to obtain remote code execution, credential harvesting, and data from commitment”.
It’s worth noting that the flaw does not affect Superset instances that have changed the default value of the SECRET_KEY setting to a more cryptographically secure random string.
The cybersecurity firm, which found that SECRET_KEY defaults to “\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h” at installation time, said 918 of the 1,288 publicly accessible servers were using the default settings as of October 2021.
An attacker who knew the secret key could log into these servers as an administrator by forging a session cookie and take control of the systems.
On January 11, 2022, the project team attempted to fix the problem by changing the SECRET_KEY value to “CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET” in the Python code, along with user instructions to override it.

Horizon3.ai said it found two additional SECRET_KEY settings that were assigned the default values “USE_YOUR_OWN_SECURE_RANDOM_KEY” and “thisISaSECRET_1234”.
An extended search performed in February 2023 using these four keys found 3,176 instances, of which 2,124 were using one of the default keys. Some of those affected include large corporations, small businesses, government agencies, and universities.
After responsible disclosure to the Apache security team a second time, a new update (version 2.1) was released on April 5, 2023 to plug the security hole by preventing the server from starting at all if it is set to the default SECRET_KEY.
“This solution is not foolproof, as it is still possible to run Superset with a default SECRET_KEY if it is installed via a docker composition file or a helm template,” Sunkavally said.
“The docker-compose file contains a new default SECRET_KEY of TEST_NON_DEV_SECRET with which we suspect some users will inadvertently run Superset. Some configurations also set admin/admin as the default credential for the admin user.”
Horizon3.ai has also made available a Python script that can be used to determine if Superset instances are susceptible to the flaw.
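For administrators who want to check their own deployment files, here is a local audit for the default keys named in this article (an added example, not Horizon3.ai's script and not Superset project code). The `SUPERSET_SECRET_KEY` variable name, the 32-character floor and every value in `SAMPLE` are assumptions constructed for illustration.

```python
import re

# Default SECRET_KEY values named in this article; substring match so the
# escaped original default is caught however the file spells its escapes.
KNOWN_DEFAULT_MARKERS = (
    "thisismyscretkey",
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",
    "USE_YOUR_OWN_SECURE_RANDOM_KEY",
    "thisISaSECRET_1234",
    "TEST_NON_DEV_SECRET",
)
MIN_LENGTH = 32  # assumed floor for a random key, not a Superset rule

# Matches SECRET_KEY = "...", SUPERSET_SECRET_KEY=... and SECRET_KEY: ...
ASSIGN = re.compile(r"""(?:SUPERSET_)?SECRET_KEY\s*[:=]\s*(?:["'](.*?)["']|(\S+))""")
DYNAMIC = re.compile(r"[\w.]+[(\[]")  # e.g. os.environ[...] or os.getenv(...)


def audit_config(text):
    """Return (line_number, verdict) for every SECRET_KEY assignment."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        match = ASSIGN.search(stripped)
        if stripped.startswith("#") or not match:
            continue
        quoted, bare = match.groups()
        if any(marker in stripped for marker in KNOWN_DEFAULT_MARKERS):
            verdict = "default"   # publicly known key: rotate it
        elif quoted is None and DYNAMIC.match(bare):
            verdict = "dynamic"   # read at runtime: audit the source value
        elif len(quoted if quoted is not None else bare) < MIN_LENGTH:
            verdict = "short"
        else:
            verdict = "ok"
        findings.append((number, verdict))
    return findings


# Constructed sample: lines as they might appear in a Python config file,
# an env file and a compose file. None of these come from a real deployment.
SAMPLE = """\
SECRET_KEY = "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"
# SECRET_KEY = "thisISaSECRET_1234"
SUPERSET_SECRET_KEY=TEST_NON_DEV_SECRET
      - SUPERSET_SECRET_KEY=hunter2
SECRET_KEY = os.environ["SUPERSET_SECRET_KEY"]
SECRET_KEY = "Zx9QmT4vLp7RkW2sYb8NcH5dJf3GaU6eXo1Ii0Ot"
"""
```

A "dynamic" verdict only means the key is resolved at runtime; the env file, compose file or Helm values that supply it need the same check.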
“It’s commonly accepted that users don’t read the documentation, and applications should be designed to force users down a path where they have no choice but to be secure by default,” Sunkavally concluded. “The best approach is to take the choice away from users and require them to take deliberate actions to be insecure on purpose.”
Ikaroa, a full stack tech company, is warning users and system administrators of the dangers of insecure default server configurations that can lead to a Remote Code Execution (RCE) attack. Insecure default settings allow attackers to gain access to a server’s operating system and to potentially execute malicious code, allowing them to take control of targeted systems.
RCE attacks target services which are responsible for running sensitive operations such as web hosting, and can be conducted either externally or internally. Depending on the context, they may be as simple as manipulating input or as complex as establishing a foothold into backend databases. They use payloads to gain access to internal resources, such as databases, and exfiltrate data or install malicious applications.
Organizations of all sizes must ensure that the default settings of the operating system have been appropriately modified and verified to prevent RCE attacks. For instance, all users with admin level access must be aware of efforts to enforce added security by blocking default ports and forcing protocol restrictions, as well as updating authentication processes and authentication tokens with regularity.
Ikaroa can also provide a backbone of defense with its proactive security measures. Firewalls and intrusion prevention systems (IPS) can monitor traffic and detect malicious activity, while Data Loss Prevention (DLP) systems scan data coming in and out of your network to detect any malicious code. Additionally, two-factor authentication can further protect organizations from the risk of malicious actors taking control of web servers.
As we all depend on secure systems for the everyday running of our lives, organizations must secure their servers against RCE attacks. Ikaroa provides a secure foundation for businesses to ensure the protection of data and resources from potential hackers.